Permissions for Exchange Server 2007

MAPI Permissions

The MAPI permission requirements for Exchange Server 2007 are:

•Administer information store

To assign the service account the required permissions at the Exchange Server level, follow these steps depending on how your Exchange environment is configured.

If inheritance to the individual stores is enabled, to set the required permissions at the server level, follow these steps:

1.Open the Exchange Management Shell and connect to Exchange Server.
 

2.Type the following line, and then press ENTER:
 
Get-MailboxServer <Exchange2007> | Add-ADPermission -User <Account> -AccessRights GenericRead, GenericWrite -ExtendedRights ms-Exch-Store-Admin
 
where <Exchange2007> is the name of the Microsoft Exchange Server server and <Account> is the name of the account to which the permissions will be assigned. If <Exchange2007> is omitted, the right will be assigned to all servers in your organisation.

If inheritance to the individual stores is not enabled, to set the required permissions at the store level, follow these steps:

1.Open the Exchange Management Shell and connect to Exchange Server.
 

2.Type the following line, and then press ENTER:
 
Get-MailboxDatabase <MailboxDatabase> | Add-ADPermission -User <Account> -AccessRights GenericRead, GenericWrite -ExtendedRights ms-Exch-Store-Admin
 
where <MailboxDatabase> is the name of the mailbox database and <Account> is the name of the account to which the permissions will be assigned. If <MailboxDatabase> is omitted, the rights will be assigned to all databases in your organisation.
 

Important When a new mailbox database is created, step 2 must be repeated.

3.Type the following line, and then press ENTER:
 
Get-PublicFolderDatabase <PublicFolderDatabase> | Add-ADPermission -User <Account> -AccessRights GenericRead, GenericWrite -ExtendedRights ms-Exch-Store-Admin
 
where <PublicFolderDatabase> is the name of the Public Folder database and <Account>is the name of the account to which the permissions will be assigned. If <PublicFoldersDatabase> is omitted, the right will be assigned to all Public Folder databases in your organisation.

Important When a new Public Folder database is created, step 3 must be repeated.

Note Any account that is a member of the Domain Admins group and none of the Exchange security groups will already have the necessary permissions.

Exchange Web Services (EWS) Permissions

The EWS permission requirements for Exchange Server 2007 are:

•Application Impersonation

To assign the service account the required Exchange Server permissions, follow these steps:

1.Open the Exchange Management Shell and connect to Exchange Server.
 

2.Type the following line, and then press ENTER:
 
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | Add-ADPermission -User <Account> -ExtendedRight ms-Exch-EPI-Impersonation
 
where <Account> is the name of the account to which the impersonation right will be assigned; this will allow the specified account to submit an impersonation call through any Client Access Server in your organisation.
 

3.Type the following line, and then press ENTER:
 
Get-MailboxDatabase | Add-ADPermission -User <Account> -ExtendedRights ms-Exch-EPI-May-Impersonate
 
where <Account> is the name of the account to which the impersonation right will be assigned; this will allow the specified account to impersonation all mailboxes in your organisation.

Note The account must be a member of the Domain Users group only. Membership of the Domain Admins group or any of the built-in Exchange security groups may deny required permissions.